William Lam

One of the huge benefits of VMware Cloud on AWS (VMC) is not only the ability to extend your existing on-premises environment and tap into the potentially unlimited capacity of the Cloud, but customers can continue to use the existing tools and scripts that they are already familiar with. When it comes to Automation, PowerCLI is still by far the most popular tool that our customers uses on a regular basis. With VMC, this is no different as the SDDC is simply made up of vSphere, vSAN and NSX which PowerCLI fully supports.

One learning curve that I have seen for some customers when working with VMC is around general provisioning and the implication of the restrictive permission model in VMC. Unlike your on-premises vSphere environment, in VMC, you are no longer running as a vSphere Administrator but rather a Cloud Administrator. This simply means you no longer have to worry about managing the underlying infrastructure (patch, upgrade, monitor, etc) and you get to focus deploying and managing your workloads.

What this technically translates to is that you are restricted to a particular part of the vSphere Inventory where you have permissions to actually deploy workloads. This is to help isolate your workloads and ensure that you do not negatively impact the VMware Management VMs by accident and thus affecting your SDDC.

From the Hosts/Clusters view, you must use the Compute-ResourcePool

From the VM view, you must use the Workloads Folder

From the Datastore view, you must use the WorkloadDatastore

When using the vSphere UI to deploy new workloads, the UI does a really good job of guiding you towards the right inventory objects, but this may not always be apparent when using the CLI or API, especially for new folks or folks who never use the UI 😉

When configuring connectivity from your on-premises environment to your VMware Cloud on AWS (VMC) NSX-T SDDC, you can either use a Direct Connect (DX) or a Route/Policy-based VPN. During the configuration, it can really be useful to have insights into the network routing table, especially if you need to verify a specific route or for general network debugging. Today, the NSX-T routing table in VMC is not currently available in the Network and Security UI, however this information can be retrieved using the NSX-T Policy API, which I have written about quite extensively here, here, here and here.

The NSX-T routing table can be retrieved by performing a GET operation on /policy/api/v1/infra/tier-0s/vmc/routing-table?enforcement_point_path=/infra/deployment-zones/default/enforcement-points/vmc-enforcementpoint By default, you will get the entire routing table, but you also filter out specific route sources such as BGP, Static or Connected routes by appending the following query parameter to the request URL ?route_source={BGP,CONNECTED,STATIC}

For PowerShell/PowerCLI users, I have a new Get-NSXTRouteTable function which will list the entire routing table by default as shown in the screenshot below.

You can also filter on a specific route source such as BGP, CONNECTED or STATIC routes by simply providing the -RouteSource argument and the route source type. In the screenshot below, I am only interested in the BGP routes.

Here is the output when running the list_vmc_nsxt_route_table.sh script which requires a valid CSP Refresh Token, OrgId and SDDCId

This has been a topic I have been wanting to write about for quite some time, especially as I get asked about this on fairly regular basis from both partners and customers. I normally point folks over to our official Virtual Appliance (VA) authoring tool, VMware Studio which includes a number of development resources to help get started. Studio is used by many of our partners when creating their VA offerings, although it may not be the easiest thing to get started with, it does provide a complete end-to-end solution.

Most recently, I found myself building out a couple of VAs for my own day to day use, including a custom PhotonOS OVA that allows me to configure a static network address during deployment through the use of custom OVF properties. The official PhotonOS OVA that VMware ships does not provide this option and automatically defaults to DHCP. If you want to setup a static IP Address, you would need to first deploy the VM and then login to the console or SSH (if you have DHCP enabled) and then manually update the networking settings.

For my use case, Studio was going to be overkill and not to mention it may not even support PhotonOS or other modern OSes in general. However, everything that is needed to build your own VA is actually available right in vCenter Server. This was the perfect opportunity and excuse for me to finally document *my* process, in case it can help others wanting to do the same, especially for a home lab setup. In Part 1, I will take you through the two important concepts of building your own VA and then in Part 2 and Part 3, we will take a look at building both a Linux and Windows VA. I will also publish a reference Linux and Windows implementation so that you can use that as a basis to build your own VA, which is not limited to just Linux or Windows, it can be ANY GuestOS that vSphere supports.

In VMware Cloud on AWS (VMC), the default behavior of the NSX-T Distributed Firewall (DFW) is to currently allow all traffic between compute workloads even across different logical networks (Segments). Today, the default behavior is currently not configurable and is something the NSX team is looking into with a few update of the VMC Service.

Having said that, it is actually pretty straight forward to create a new Deny All policy that would achieve the same desired behavior of blocking all traffic by default. Since this topic has come up a few times, I figure it would be useful to share the quick fix and big thanks to Michael Kolos, one of our VMC Customer Success Engineers who shared the original tidbit with me.

OVFTool is an extremely versatile command-line utility for importing and exporting Virtual Machines to and from the OVF/OVA format and it supports a number of VMware platforms including VMware Cloud on AWS (VMC), vSphere (vCenter Server and ESXi), Fusion, Workstation, Player and even vCloud Director (vCD).

An infrequent asks that I have seen from customers is the ability to deploy an OVF/OVA as a VM Template rather than just a Virtual Machine in a vSphere-based environment. OVFTool has had the ability to deploy to vAppTemplate for vCD-based environments, so it would make sense to also support vCenter Server VM Templates as well. Today, the workflow is a two-step process, deploy the OVF/OVA and then use the vSphere API to convert the VM to a VM Template.

With the latest OVFTool 4.3 Update 1 which was a minor release last year, we now have a new parameter called importAsTemplate which will allow customers to easily import an OVF/OVA directly into as a VM Template. Below is a quick sample using this new option and I am deploying to a VMC-based environment (see this article for requirements when using OVFTool with VMC)

Did you know VMware PhotonOS can also run on a Raspberry Pi (rPI) 3? I definitely did not until recently when I found out the latest 3.0 version also had an image for the rPI. This is great for anyone who is already familiar with PhotonOS and wish to run it in an even smaller form factor such as an rPI. There are definitely some interesting use cases for an rPI such as a tiny management host, troubleshooting tool for consultants or even a quick PowerShell/PowerCLI host that contains some basic tools and scripts which you can quickly access.

I was definitely interested in getting PowerShell and PowerCLI running on top PhotonOS on the rPI. Although you can already run PowerShell on an rPI using the Raspbian OS, the current distribution from Microsoft is actually only 32-Bit, which is a problem for PhotonOS as it is a 64-Bit OS. I was about to give up but while browsing the Microsoft PowerShell repo, I came across their upcoming PowerShell 6.2.0 (Preview) release which now looks to include a 64-Bit ARM build, which is exactly what I needed. For PowerCLI, although I was able to get the modules loaded, I was not able to connect to a vCenter Server or ESXi endpoint, you can find more details at the bottom of this post.

Below are the instructions for installing PhotonOS on the rPI and getting PowerShell setup:

Step 1 - Download and install the Etcher tool which will be used to flash our rPI

Primary Sidebar

Search this website

Author

William Lam is a Staff Solutions Architect working in the VMware Cloud on AWS team within the Cloud Platform Business Unit (CPBU) at VMware. He focuses on Automation, Integration and Operation of the VMware Software Defined Datacenter (SDDC).